...
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | LFN Developer & Testing Forum | Event June 13th-16th, Porto, Portugal. Please register: | | |
| | Issue raised with SECCOM by Kohei - About Critical Information Leak | Ticket to be opened to SDNC; last message to SECCOM on tokens and logins/passwords. | started | Ticket opened to SDNC: https://jira.onap.org/browse/SDNC-1691 - done. Log file was removed from the Wiki. Confirmation e-mail to be sent to Kohei by Amy - done. |
| | CPS gold badge | 2 tickets created at LFN IT. Bruno mentioned: | started | E-mail to be shared with Bruno on tickets and links - done. No additional comments. |
| | Istanbul Maintenance Release Notes | https://jira.onap.org/browse/CCSDK-3602: malformed table, needs to be fixed! https://jira.onap.org/browse/SDNC-1670: AAF transitive dependency | ongoing | PTLs meeting on April 4th |
| | | We shall provide a SECCOM proposal/recommendation for unmaintained projects to the TSC; a synch-up with the Architecture Subcommittee is needed, Byung will check with Chaker. Amy to draft the proposal by end of this week and send it to the SECCOM distribution list. | ongoing | TSC meeting on March 31st |
| | SBOM status update | Vijay turned the flag on. To be followed up with Jess. SBOM for Python? Fabian is using Trivy with CycloneDX format. No option for SPDX. | ongoing | Tony to re-share the e-mail. |
| | Updates to Secure Design Questionnaire - Maggie | | started | |
| | SECCOM topics proposal | | | |
| | Synch with OOM | SDC-3954, OOM-2957, OOM-2958, INT-2104 | | |
| | Assessment model | Muddasar presented a proposal for a 5Y assessment model: the assessment should cover an ONAP project as a whole. The report should be actionable, with a defined rule for moving from one level to the next. It should also include process or tool improvement recommendations. We could use the SAMM tool and some of our and their questions for a quick and easy assessment. A risk/threat model is to be used. Assessment models are usually based on interviews. | started | |
| | Synch with Architecture Subcommittee | LF Security conformance - Byung; Amy saw the presentation of the LF CEO. Unmaintained projects proposals - Byung; we focus on Portal first and then on AAF. | started | Byung to send an e-mail to Kenny to get the LFX Security presentation for SECCOM. |
| | Code quality | Fabian provided a presentation: in "clean as you code" the developer shall be motivated. Quality gate conditions shall be generalized. Using SonarLint allows faster (on-the-fly) detection compared to SonarCloud. For security hotspots we need a reviewer in this area who would take the action (e.g. acknowledge). Jiras were set up in a special way. The commercial tool provides a way to fix the issue. | ongoing | |
| | Security logging update – Bob | PoC phase, communication with Toine. Synch with Byung needed. | ongoing | Bob to contact Byung. |
| | Linux Security Summit - CFP | | ongoing | |
| | | SBOM visibility to be created in the deck; consultancy with Muddasar is planned. | | |
| | Next ONAP F2F | https://events.linuxfoundation.org/lfn-developer-testing-forum/ - registration open | started | Please consider your personal participation, so the SECCOM team could meet again. |

SECCOM meeting call will be held on 19th of April '22: quality gates for code quality improvements (Fabian's presentation); SonarCloud fixing with new-code focus.
Recording: attached file

SECCOM presentation: attached file